password reset security breach | Forum

C van Hirtum Mar 6 '13
I got a message from a user who points me to a security breach(?) in the password reset procedure. He tells me the following:


I used a friend's email address and confirmed it by the insecure password reset function, which states if the account exists or not. This is also a security no-no, as anyone can check if their 'friend' is registered.


This is not something I want, because I like my users to have their privacy.

Does anyone have an idea how to fix this issue?

Alia Team
Alia Mar 11 '13

>>confirmed it by the insecure password reset function which states if the account exists or not.


Currently the text of the notice is "There is no user with this email address".

You can change it to something else in admin panel >> languages:

{text key='base+forgot_password_no_user_error_message'}


For example to: "Entered email is incorrect".

C van Hirtum Mar 12 '13

Thanks for this suggestion, it makes it a little bit better... but still, when the email is right it will tell that it sent a reset code, so they still know if that email has an account or not...
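
The point raised in the last post, as an added example that is not Oxwall code and not part of the thread: the form stops revealing account existence only when both outcomes return the same notice. The function names, the in-memory user list, the success text and the sample addresses are all constructed for illustration.

```php
<?php
// Added example; hypothetical names, not Oxwall's API.
// Constructed sample data: one registered address.
$users  = ['alice@example.test' => ['id' => 1]];
$tokens = [];  // stands in for the reset-code table (hashes only)
$outbox = [];  // stands in for a mail queue processed out of band

const RESET_NOTICE =
    'If an account exists for that address, a reset code has been sent to it.';

// Behaviour described in the thread: the reply differs by account state,
// so anyone can test whether an address is registered.
function resetRevealing(array $users, string $email): string
{
    return isset($users[strtolower(trim($email))])
        ? 'Reset code sent.'                          // constructed success text
        : 'There is no user with this email address'; // notice quoted in the thread
}

// Hardened form: identical notice on both paths. Only the owner of the
// mailbox learns whether a code was actually issued.
function resetUniform(array $users, array &$tokens, array &$outbox, string $email): string
{
    $key = strtolower(trim($email));
    if (isset($users[$key])) {
        $code = bin2hex(random_bytes(16));
        // Store only a hash of the code, with an expiry.
        $tokens[$key] = ['hash' => hash('sha256', $code), 'expires' => time() + 3600];
        // Queue the mail instead of sending inline, so the response time
        // does not differ between known and unknown addresses.
        $outbox[] = ['to' => $key, 'body' => "Your reset code: $code"];
    }
    return RESET_NOTICE;
}

// Compare both handlers for a registered and an unregistered address.
foreach (['alice@example.test', 'nobody@example.test'] as $email) {
    printf("%-20s revealing: %s\n", $email, resetRevealing($users, $email));
    printf("%-20s uniform:   %s\n", $email, resetUniform($users, $tokens, $outbox, $email));
}
printf("mails queued: %d\n", count($outbox));
```

Changing only the `base+forgot_password_no_user_error_message` text leaves the two outcomes distinguishable; the success notice has to be set to the same wording for the form to stop answering the "is this address registered" question.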